mosquitto-users team mailing list archive

Re: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

 

Try setting the IP address for the CN of your certificate.


On Mon, Oct 21, 2013 at 1:23 PM, Abdul Wahid <abdulwahidw@xxxxxxxxx> wrote:

> Hi,
>
>
>
> I am new to certificates and mosquitto.
>
> I am trying to update the mosquitto version from 1.1.1 to 1.2.1.
>
> After replacing the binaries and libraries with the new ones, I am getting
> the following error while subscribing.
>
>
>
> *mosquitto_sub -h 192.168.255.2 -p 8883 -v -t "test" --cafile
> /etc/certs/CA/ca.crt -d*
>
>
>
> Client mosqsub/20375-CLA-0 sending CONNECT
>
> OpenSSL Error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Error: Protocol error
>
>
>
> I checked some other blogs for similar issues and some of them showed
> that this could be because of the hostname not matching the CN name in the
> CA certificate.
>
> I did check the certificate and this is what I have and I could see that
> the certificate has the IP address, but still the connect is failing with
> a certificate verification error.
>
> a)      openssl x509 -in ca.crt -noout -text
>
> -------
>
> Subject: CN=FOOBAR rootCA
>
> Subject Public Key Info:
>
> -------
>
>
>
> b)       I was also able to connect using openssl s_client
>
> OpenSSL> s_client -host 192.168.255.2 -port 8883 -CAfile
> /etc/certs/CA/ca.crt
>
> CONNECTED(00000003)
>
> depth=1 CN = FOOBAR rootCA
>
> verify return:1
>
> depth=0 C = country, ST = state, O = office, OU = unit, CN =
> 192.168.255.130, CN = 192.168.255.2
>
> verify return:1
>
> ---
>
> Certificate chain
>
>  0 s:/C=country/ST=state/O=office/OU=unit/CN=
> 192.168.255.130/CN=192.168.255.2
>
>    i:/CN=FOOBAR rootCA
>
>  1 s:/CN=FOOBAR rootCA
>
>    i:/CN=FOOBAR rootCA
>
> ---
>
> Server certificate
>
> -----
>
>     Start Time: 1382334940
>
>     Timeout   : 300 (sec)
>
>     Verify return code: 0 (ok)
>
> ---
>
>  One thing to mention here is that the subscription is successful when
> "--insecure" is added to the mosquitto_sub command.
>
> Can I get some assistance here? Kindly let me know if I am missing out on
> something or any configuration or so.
>
>
>
> Regards,
>
> Wahid
>
> --
> Mailing list: https://launchpad.net/~mosquitto-users
> Post to     : mosquitto-users@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~mosquitto-users
> More help   : https://help.launchpad.net/ListHelp
>
>
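
Added example (not part of the thread, and not mosquitto's code): `s_client` as invoked above validates the chain against the CA file and does not compare the names in the certificate with the host, so `Verify return code: 0 (ok)` does not rule out a name mismatch. This code extracts the CN values from the quoted server subject and compares them with the host being connected to; the "first CN only" rule is an assumption made for illustration, since the thread does not say how mosquitto_sub matches names, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed from the depth=0 subject line in the s_client output quoted above.
SUBJECT = ("C = country, ST = state, O = office, OU = unit, "
           "CN = 192.168.255.130, CN = 192.168.255.2")


def common_names(subject):
    """Return every CN value, in order, from either OpenSSL subject form
    ('C = x, CN = y' or '/C=x/CN=y')."""
    found = re.findall(r"(?:^|[,/])\s*CN\s*=\s*([^,/]+)", subject)
    return [value.strip() for value in found]


def same_host(name, host):
    """Compare as IP addresses when both parse as such, else case-insensitively."""
    try:
        return ipaddress.ip_address(name) == ipaddress.ip_address(host)
    except ValueError:
        return name.lower() == host.lower()


def diagnose(subject, host):
    """Report how two name-matching rules treat this subject for this host."""
    cns = common_names(subject)
    return {
        "cns": cns,
        # Rule A (assumed): the client reads only the first CN in the subject.
        "first_cn": bool(cns) and same_host(cns[0], host),
        # Rule B: the client accepts a match on any CN in the subject.
        "any_cn": any(same_host(cn, host) for cn in cns),
    }


if __name__ == "__main__":
    for host in ("192.168.255.2", "192.168.255.130"):
        print(host, diagnose(SUBJECT, host))
```

A subject with a single CN equal to the address the client connects to gives the same answer under both rules.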
